IETF Logo Mail Archive

Re: [DNSOP] [Ext] About key tags

Shumon Huque <shuque@gmail.com> Sat, 02 March 2024 22:13 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 806F8C14F6B8 for <dnsop@ietfa.amsl.com>; Sat, 2 Mar 2024 14:13:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZAO-otChVk1q for <dnsop@ietfa.amsl.com>; Sat, 2 Mar 2024 14:13:21 -0800 (PST)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AD78C14F68D for <dnsop@ietf.org>; Sat, 2 Mar 2024 14:13:21 -0800 (PST)
Received: by mail-io1-xd2c.google.com with SMTP id ca18e2360f4ac-7c83fbeb300so19628439f.3 for <dnsop@ietf.org>; Sat, 02 Mar 2024 14:13:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709417600; x=1710022400; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VHpNp+EAhse5a42H6aPgotIeIB8xkdxRbb2Uojbu3Go=; b=Zcf9XIitystAhiJV2tc1kthcfGVEBe0WXGRHPQMsP3eWGnzCAMOxxLupWlitWguTVV vnbZhhfB5Vif1EaB5PgYlBKiWPuQQfHX3muocKL5z0RMDHoWaiyzqpur5vPQ6CUvovKI ldynQT2tkszkGtc3oaFZA1JSV9jX4yvLUySXSKmVoYfxs1wFmvtnjBed2jzpnmcXVhch +qYQxGb9fD49O8pG+f2qET513fQx1JI6LqLpissYO4bReYDMb2ujE0zAVv1H2mj/t2+Y N5kXzZME97Vf75SQSRgOKIhFCl8n6voz7VMipuilwfQSuAy+qAcGWTVK/+IVHsrlV5fi VcPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709417600; x=1710022400; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VHpNp+EAhse5a42H6aPgotIeIB8xkdxRbb2Uojbu3Go=; b=V0uZKblF+4MVG/WDItXlnvApkzDeTu/BieXPI1tpt8lOQ/jBafCA2HzhNKRtYdSMp4 jcNHVLtJUPckJNnHpVzG4AfNGMyYbAqn97XeVi6km+KezuSo8QLn15KIB/xQ1bVMdi/9 +DHIlXB4dvgAcMgBLV0oTtxIFmaA465cT7JDv7bb3wMZ+C5bGqbP72dxjrx3OY8DR5K/ XIfnuHBbpYrF0IAH2bQm5/0fTwbpdVFnOTfQJzOXxEikgDCROfF4WT4Fy6esU0aeDYNZ dLkeS+nPeeD4l0I7kDSnQ7A+NfQU55LF/rUi9HTLm5jVSN+yWdWkGPsD+diWezdouKds pzMw==
X-Gm-Message-State: AOJu0YwFWflGmZ05qRaCUegBdyBKO9V+dZPh25+7/U66wofg0N1WsKYV 8I9G50lzN8T/dIcrKM3n8dD/27dk5GJDSnG1dzcWtjxI/TWQUfba0oZvTGf/w28bbQdeqbHgVlo 9TXtL8wG+BwSZajojdoVdpO6mBzdva6ST
X-Google-Smtp-Source: AGHT+IHroFlnqEjsprZP0AtwSNJxiYGJqopK41JrP7B2Ukkd+22wHK9Xm7cTVUKMIQpY7W5PMw3CBM22HTRJKMsLKLI=
X-Received: by 2002:a6b:c8c8:0:b0:7c8:3d06:59f with SMTP id y191-20020a6bc8c8000000b007c83d06059fmr1622978iof.15.1709417600209; Sat, 02 Mar 2024 14:13:20 -0800 (PST)
MIME-Version: 1.0
References: <BBA3FCAF-C5AA-40B0-A1E7-6773330A8E30@fl1ger.de> <FB36282B-5C87-4ED0-8669-D0438666F08D@strandkip.nl> <CANLjSvUi31srBhcUP513egeiKHGfMRyyRZrqYwLHug_n_i=K2A@mail.gmail.com> <D36D404C-C495-4838-BECA-417801327282@icann.org> <m1rg5V1-0000M5C@stereo.hq.phicoh.net> <5B66188E-0615-45C4-BAD3-F546F7F88254@icann.org> <m1rg7sM-0000LXC@stereo.hq.phicoh.net> <fbdb9145-4f98-469d-a8cb-b0a5dedd0ca2@desec.io>
In-Reply-To: <fbdb9145-4f98-469d-a8cb-b0a5dedd0ca2@desec.io>
From: Shumon Huque <shuque@gmail.com>
Date: Sat, 02 Mar 2024 17:13:09 -0500
Message-ID: <CAHPuVdWP6kogMaBeDGESOPbTSHBVmZvnKg7dw-uBCh_W5Rz25A@mail.gmail.com>
To: dnsop@ietf.org
Cc: Peter Thomassen <peter@desec.io>, Philip Homburg <pch-dnsop-5@u-1.phicoh.com>, Edward Lewis <edward.lewis@icann.org>
Content-Type: multipart/alternative; boundary="000000000000d558520612b4cc2a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sRKZ3WneFzVl98pMvkfHFB2292Q>
Subject: Re: [DNSOP] [Ext] About key tags
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2024 22:13:21 -0000

On Sat, Mar 2, 2024 at 3:57 PM Peter Thomassen <peter@desec.io> wrote:

>
> On 3/1/24 14:44, Philip Homburg wrote:
> >> Seriously, while I do believe in the need for a coherent DNSKEY
> >> resource record set, there are some multi-signer proposals that do
> >> not.  If the key set has to be coherent, then someone can guard
> >> against two keys being published with the same key tag.  The recovery
> >> may not be easy as you'd have to determine what key needs to be
> >> kicked and who does it and where (physically in HSMs or process-wise).
> >> I have some doubt that key tag collisions can be entirely avoided.
> >
> > So now we moved the problem away from the core DNSSEC protocols to the
> > realm of multi signer protocols.
>
> The core DNSSEC protocol includes multi-signer. RFC 8901 just spells out
> explicitly how it is covered by the protocol; that's why its status is
> Informational.
>

Yes, 8901 was not considered to be a change to the protocol, but an
operational model that accommodated multiple signers. There was some
discussion about whether it should be a "BCP", but the consensus during its
development was that we might do that at a later time once more operational
experience in the field was gained with it.

> The first step to conclude is that for the core DNSSEC protocol, requiring
> > unique key tags is doable.
>
> No. There is no core and non-core part of the spec. Support for multiple
> keys, including keytag collisions, simply is part of that protocol.
>

Yes, I agree. (Banning keytag collisions, if we are proposing that, is a
protocol change.)

Not also that DNSKEY set "coherency" is not really the issue. Even for a
single signer they may be temporarily incoherent across nameservers because
of normal change propagation delay. Multi-signer operations (for steady
state or for a transitional state needed for DNS operator changes) can
extend that period substantially. Collision avoidance is about the key
generation process and the set of entities involved.

Shumon.

v2.23.0 | Report a Bug | By Email